Friday, October 05, 2007

Oracle and Bridgestream

This news is about a month old, but in case you've been in a cave for the past month (like I have, well not a cave but I've been in China so that's close enough) and don't know, Oracle bought Bridgestream. Now that's 2 things they have on the competition. The Bharosa and Bridgestream acquisitions give them 2 things their major competitors (IBM, Sun, CA, BMC, Novell) don't have.

Role management is a bit of an ambiguous term. It means different things to different people. In the software world, this usually refers to some sort role mining, automation and discovery. There are a few vendors out there doing this (Bridgestream was one, Eurekify is another) and they end up calling their offering role management because it helps automate the whole process of figuring out what the heck an organisation's roles should look like and who should be in these roles.

This all sounds good in theory, but role management in the form I've just described has not exactly taken off. It's one of those things that people keep saying they need to do. Except all they end up doing is sticking a bunch of roles they think will work into their provisioning systems and waiting to see what needs changing later on. Of course, by then it's too late and they have to re-do all the roles. As always, they pay an exorbitant amount of money to a consulting firm (I'm looking at you Accenture and Deloitte, and perhaps IBM too) to do the work.

It's also been a victim of priorities and security maturity levels in organisations. Most are not at the stage where they are ready to look at role mining and automation. Provisioning and access controls are usually the first things that get implemented, then some sort of audit, compliance and reporting capabilities are tagged on to feed off phase 1. Role management ends up being the nice to have...and by then there's no money, no time and no resources available. So we get into the near enough is good enough syndrome.

Yes I know proper role management helps with proper segregation of duties and also keeps auditors happy. But role management as a single discipline does not solve the whole issue. It needs to be used in conjunction with all the other Identity Management capabilities that typically get implemented. The role management/mining vendors have also suffered from being too low on the food chain and not being tied into a major vendor to be dragged along as part of the sale. It's also usually too difficult to integrate into whatever Identity Management software solution an organisation is implementing and becomes another moving part that is usually one of the first things to get thrown away...or at best pushed to phase 5. I've yet to see organisations get past phase 2 or 3 in the space of a few years. Phase 5 will show up...eventually.

And this is where Oracle have just placed themselves in the driver's seat. By buying Bridgestream, they've got another selling point over their competitors. And when organisations do indeed get to that phase 5 (or whatever), guess what...Oracle's going to ride in on their white horse and say they have a tightly integrated solution that has been tested and kicked around in production. I'm sure a few of their customers will want to be early adopters. Oracle will throw in a bunch of financial incentives to ensure that happens. It's the smart thing to do.

And when Oracle's doing this, whoever buys Eurikify (SAP, are you listening? You want to get in the Identity game get ahead - also makes perfect sense if you want to link it all nicely into R/3 and NetWeaver) will be left behind (although they'll still be ahead of the others that are just sitting there hoping sales will fall into their laps while their Identity Management technologies lag behind the competition).

And at some stage, someone's going to realise that just sucking in all your roles (and users) in from HR into your provisioning system only does half the job. Operational roles (stuff that is useful for day-to-day use) are not usually representative of what you find in HR. It helps to have an automated way to figure out what the operational roles really are. It's not going to be easy, and putting in a tool won't be a no brainer, but if it's integrated nicely into the provisioning system it certainly helps cut out a lot of the work...and takes business away from consulting firms that roll out whole teams of fresh graduates (who know nothing) to implement your enterprise security infrastructure for you. Scary isn't it. But we know that's what they do.

The Bridgestream acquisition isn't a huge game breaker. It's just Oracle buying insurance for the future. They may get a few deals here and there because a customer happens to think the world of role management/mining. But it's a smart strategic move.

They're fleshing out their capabilities nicely in the game we know as Enterprise Identity Management. I don't know what the other vendors are doing. For their sake, I hope they're not sitting there in blissful ignorance thinking their market share will not get eaten up by Oracle.

1 comment:

Anonymous said...

This article is interesting in relation to this story.

http://www.iptoday.com/news-article.asp?id=1011&type=business